UMD researchers formulate cyber protection for supply chains

The supply chain is ground zero for several recent cyber breaches. Hackers, for example, prey on vendors that have remote access to a larger company's global IT systems, software and networks.

In the 2013 Target breach, the attacker infiltrated a vulnerable link: a refrigeration system supplier connected to the retailer's IT system.

A counter-measure, via a user-ready online portal, has been developed by researchers in the Supply Chain Management Center at the University of Maryland's Robert H. Smith School of Business.

The portal is based on a new management science called "cyber supply chain risk management." It combines conventionally-separate disciplines cybersecurity, enterprise risk management and supply chain management.

Funded by the National Institute of Standards and Technology, the UMD researchers developed the formula, in part, after surveying 200 different-sized companies in various industries.

"We found that, collectively, the cyber supply chain is fragmented and stovepiped, and companies are ill-prepared to sense and respond to risks in real time," said research professor and center co-director Sandor Boyson, who collaborated on the study and portal design with faculty-colleague/center co-director Thomas Corsi, research fellow Hart Rossman and UMD-Smith CIO Holly Mann. "Just half of our subjects used an executive advisory committee such as a risk board to govern their IT-system risks."

The findings are published as "Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems" in the peer-reviewed industrial engineering journal Technovation. http://ter.ps/73f

The researchers leveraged the study into the portal. Companies can log on, cost-free, at http://cyberchain.rhsmith.umd.edu and track developing threats, plus map their IT supply chains and anonymously measure themselves against industry peers and NIST standards.

A special formula measures the risk levels of each company asset. The Common Vulnerability Scoring System – standard for analyzing software systems – is adapted to analyze the entire range of assets connected to the cyber supply chain.

Firms can compare corporate disclosures, exposures and vulnerabilities to those of peer companies via an insurance-risk analysis framework provided by The Willis Group. The global insurance broker's database of aggregated SEC-reported cyber attacks—mandated for public companies – supports this tool.

The portal is scalable. About 150 various-sized companies have completed at least one or more of the aforementioned functions. Fifteen of those firms completed all three assessments and represent industries including high-tech aerospace manufacturing, telecommunication, real estate, and medical and professional services.

"The portal not only helps individual organizations understand their risk and how they can better manage it. By doing so, this bolsters the resilience and security posture of the entire ecosystem of the U.S. economy," said Jon Boyens, senior advisor for information security in NIST's computer security division. "While this ecosystem has evolved to provide a set of highly refined, cost-effective, reusable products and services that support the U.S. economy, it has also increased opportunities for adversaries and made it increasingly difficult for organizations to understand their risks."

The study is entering a fifth phase focused on federal agency-private contractor supply chains. The UMD-Smith researchers subsequently will update the portal and train managers of participating agencies and contractors to efficiently and effectively use the separate functions.

Related Stories

The National Institute of Standards and Technology (NIST) has published a second public draft of Supply Chain Risk Management Practices for Federal Information Management Systems and Organizations for public comment. The ...

The National Institute of Standards and Technology (NIST) has published the final version of Notional Supply Chain Risk Management Practices for Federal Information Systems. This guide offers an array of supply chain assurance ...

After a successful pilot project held in five states, the National Institute of Standards and Technology (NIST) Hollings Manufacturing Extension Partnership (MEP) has launched a new supply chain optimization program to help ...

Climate indicators and country risk ratings developed by the University of Notre Dame Global Adaptation Index (ND-GAIN) will be instrumental in a new partnership announced Tuesday (Feb. 25) whose goal is to develop the Climate ...

Nothing beats the feeling of starting up a new computer - be it a laptop, desktop or a major, custom-designed computing system. A new system is a blank slate with no worry of botnets, viruses or any other cybersecurity hazards.

If you want to know how to make a sneaker with better traction, just ask a snake. That's the theory driving the research of Hisham Abdel-Aal, Ph.D., an associate teaching professor from Drexel University's College of Engineering ...

A 10-fold increase in the ability to harvest mechanical and thermal energy over standard piezoelectric composites may be possible using a piezoelectric ceramic foam supported by a flexible polymer support, according to Penn ...

For its updated news application, Google is doubling down on the use of artificial intelligence as part of an effort to weed our disinformation and help users get viewpoints beyond their own "filter bubble."